A protocol and three reference implementations for stitching independently-operated radio receivers into a federation of sovereign gateways — with HTTPS+WSS transport and AES-256-GCM session envelopes end to end.
Aviation telemetry — the public stream of position, identity, and intent broadcast by every commercial aircraft over open radio bands — is one of the largest open data sources in the world. It has also, quietly, become one of the most centralized. A handful of commercial aggregators ingest from tens of thousands of volunteer feeders, normalize and resell the result, and contractually restrict redistribution.
MeshSky proposes a different shape for the same data:
a federation of independently-operated gateways with end-to-end
encrypted, authenticated transport, in which every operator owns
what they produce and every consumer assembles the wider view at
read time. The protocol is HTTPS for request/response and WSS for
streaming; every payload is wrapped in an AES-256-GCM envelope
keyed off a per-session secret and AAD-bound to the session ID.
Reference implementations exist for all three tiers
(meshsky-feeder, meshsky-airbridge,
meshsky-controltower) and are released under the MIT
license.
This document presents the vision, the architecture, the wire protocol, the security model, the operational economics, and the roadmap. It is intended for operators who want to run a piece of the mesh, integrators who want to consume from it, and reviewers who want to evaluate it as critical-infrastructure software.
meshsky:// URI for gateway discovery that bundles
a 64-hex node identity and one or more transport hints, so a
feeder needs exactly one string to join a sovereign gateway.
wiedehopf/mlat-client and
wiedehopf/mlat-server binaries as separate OS
processes, leaving the MIT Node code path untouched.
Aviation telemetry was open before it was anything else. ADS-B, UAT, and Mode-S broadcasts are unencrypted by design, legal to receive in nearly every jurisdiction, and inexpensive to decode — an <$30 software-defined radio and a roof-mounted antenna are enough to participate. The volunteer community has built decoders, antennas, and trackers for two decades.
That foundation has become quietly proprietary. Most volunteer feeders today push their decoded frames into one or two commercial aggregators in exchange for a free premium account on the same site. The aggregators normalize, deduplicate, and resell the merged data to airlines, dispatchers, insurance firms, and the press. Redistribution is contractually restricted; the volunteers who produce the data cannot redistribute the merged version of it.
We do not argue that the existing aggregators are doing anything wrong — running a global aggregator is hard and expensive. We argue that the dataset is too important to live only there. Search-and-rescue, journalism, climate research, flight-school operators, hobbyist developers, and academic researchers all benefit from a redistribution-friendly alternative. So does any operator who wants to own the data they produce on the way out the door.
A single-vendor service has obvious failure modes: a billing dispute, a rate-limit, a regional outage, or a quiet term-of-service change can sever an integration overnight. A federated set of independent gateways — each operated by a different person or organization, each authoritative only for what its own feeders send it — is robust against any single one of those events. A consumer that fans reads across several gateways degrades gracefully when any one of them disappears.
We deliberately did not build a peer-to-peer mesh. GossipSub,
libp2p, QUIC overlays, and Voronoi sharding are attractive in
the literature but they pay for problems MeshSky does not have.
Aircraft telemetry tables are small (tens of kilobytes), update
rates are modest, the network is bandwidth-asymmetric (volunteer
uplinks are slow), and operators want to debug their own
gateways with curl. A federated topology over plain
HTTPS and authenticated WebSockets is dramatically easier to
operate, audit, and extend than a peer-to-peer overlay, and
gives up nothing meaningful for this workload.
Five principles drive every concrete decision in the rest of the document. They are listed here so a reader can decide whether to keep going.
Every payload that carries aircraft data is encrypted with a per-session AES-256-GCM key, AAD-bound to the session ID. The transport is TLS, but TLS only protects the leg between the consumer and the gateway; the GCM envelope authenticates the data itself.
Each AirBridge holds only what its own feeders fed it. Gateways do not push aircraft data to one another. The wider view is assembled at read time by a controltower that opens sessions against several gateways in parallel and unions the answers. There is no single “source of truth” that can be compromised or coerced into rewriting history.
Multilateration uses the battle-tested
wiedehopf/mlat-client and
wiedehopf/mlat-server binaries, which are
GPLv3. They are invoked strictly as separate OS processes
and communicate over UNIX sockets. Nothing GPL-licensed is
ever linked into the MIT-licensed Node code. This is the
standard mechanism for combining permissive and copyleft
code without forcing a license change.
The feeder daemon never opens a listening port. It pushes over WSS, reconnects with full-jitter exponential backoff, and never accepts inbound connections. A volunteer running a feeder on a home network has no inbound attack surface to harden.
The reference implementations are MIT, the docs are public, and the wire format is shared verbatim across all three repos. The project is a protocol and a set of reference implementations — not a hosted product with a permission-to-use directory.
MeshSky is built as three cooperating tiers linked over plain HTTPS and authenticated WebSockets. Every tier is independently operable, and every gateway is sovereign — it sees only what its own feeders sent it. A controltower assembles the wider picture by reading from many gateways in parallel.
┌──────────────────────────┐
│ ControlTower │
│ (Cloudflare Worker + DO) │
└──────────┬───────────────┘
│ HTTPS + WSS, AES-256-GCM
▼
┌───────────────┴───────────────┐
│ AirBridge gateways (sovereign)│
│ /global/aircraft /global/stream
│ /peers/aircraft /global/aircraft/{hex}/track
│ /feeder/uplink /global/aircraft/{hex}/history
│ + history (RAM ring + SQLite)│
│ + optional mlat-server (GPL) │
└───────────────┬───────────────┘
│ WSS, AES-256-GCM
▼
┌───────────────┴───────────────┐
│ Feeders (outbound-only) │
│ dump1090 / readsb (Beast) │
│ + optional mlat-client (GPL) │
└───────────────────────────────┘
A feeder is the front door to the mesh. It is a small,
outbound-only Node daemon that runs on the same host (or the
same LAN) as a Beast-protocol SDR decoder —
dump1090-fa, dump1090-mutability, or
wiedehopf/readsb. The daemon:
MASTER_ENCRYPTION_KEY.
DUMP1090_SOURCES list for
multi-radio hosts) and ships every Beast frame upstream
inside an AES-256-GCM envelope.
gpsd for
GPS-disciplined timing and reports it to the gateway over
POST /feeder/receiver.
wiedehopf/mlat-client as a child process and
forwards its sync stream over the same encrypted WSS uplink.
replicate for redundancy or
shard for split bandwidth.
The reference image runs on a Raspberry Pi 3B+ or newer with an RTL-SDR Blog v3 and a roof-mounted 1090 MHz antenna. A single feeder uses tens of kilobits per second of upstream bandwidth even in dense traffic.
AirBridge is the connective tissue. An AirBridge gateway is a single Node process (Fastify + a WebSocket server) that:
/feeder/uplink.
AircraftTracker keyed by
ICAO hex.
TrackRing (default 200 points / 30 minutes
per ICAO) plus a durable SQLite store
(better-sqlite3, WAL mode, default 7-day
retention with hourly pruning).
wiedehopf/mlat-server as a separate process and
ingests its solutions over a UNIX socket.
/global/aircraft, plus per-ICAO
/track and /history) and a WSS push
stream (/global/stream) to controltowers, all
wrapped in the consumer’s per-session envelope.
Crucially, gateways do not push aircraft data to one
another. There is no GossipSub, no QUIC peer overlay, no
cross-gateway replication. The optional
/peers/aircraft endpoint exists only so that
consumers (or auditors) can pull a lightweight read-only
snapshot from a peer; it is rate-limited and uses the same
session/envelope contract as every other read.
A reasonable production gateway runs comfortably on 2 vCPU,
2 GB RAM, and 10 GB of disk for ~500 feeders and a
7-day history. The reference deployment terminates TLS with
Caddy and ships a one-command compose.yaml.
ControlTower is the read-side aggregator and presentation layer. A controltower:
/global/aircraft from a Cloudflare
Durable Object).
Promise.allSettled
fan-in — a dead gateway never blocks the others.
partial: true and a sources[] array
rather than silently absorbing the loss.
The reference controltower deploys to Cloudflare Workers + Durable Objects with a hibernating per-DO aircraft cache that polls each gateway every five seconds. The same library can run as a long-lived Node process for a self-hosted operator.
meshsky:// URIA feeder or controltower needs exactly one string to find a gateway:
meshsky://<64-hex-nodeId>?via=https://airbridge.example.com&via=wss://airbridge.example.com/global/stream
The path is the gateway’s node ID — a 32-byte
SHA-256 of its long-lived identity blob, lower-case hex.
Each via= is a transport hint; clients try them in
order and fall back as needed. There is no central registry
to register with.
MeshSky is HTTPS for the request/response surface and WSS for the streaming surface. Every byte of aircraft data on either surface is wrapped in an authenticated AES-256-GCM envelope keyed off a per-session secret. The on-the-wire data model is JSON — not a binary frame format — because the volume is modest and the operational cost of a JSON dump beats the cost of debugging a custom binary format in the field.
Every connection begins with the same three-step exchange.
POST /auth/session HTTP/1.1 Host: airbridge.example.com Authorization: Bearer <AIRBRIDGE_BEARER_TOKEN>
The gateway returns a fresh session:
{
"sessionId": "01J9...",
"sessionToken":"<base64url>.<base64url-hmac>",
"expiresAt": 1730000000000,
"tier": "pro",
"wrappedKey": { "alg": "aes-256-gcm", "payload": "<base64url>" }
}
The client unwraps wrappedKey with its at-rest
master key (AAD = sessionId) to recover the
per-session AES-256-GCM key.
All subsequent REST calls and the WSS upgrade carry:
Authorization: Bearer <sessionToken> X-Meshsky-Session: 01J9...
Sessions are short-lived; clients renew by re-issuing
POST /auth/session. A renewal always
rotates the session key. There is no in-place key rotation
without a fresh session.
Every encrypted payload uses the same byte layout, then base64url-encoded for transport in JSON:
[ 12-byte IV ][ ciphertext ][ 16-byte GCM tag ]
/auth/session.sessionId.A REST response wrapping an envelope uses a stable shape:
{
"encrypted": true,
"alg": "aes-256-gcm",
"payload": "<base64url IV || ciphertext || tag>",
"sessionId": "01J9...",
"generatedAt": 1730000000000
}
A WSS frame is the same envelope shipped as a single text frame.
The format is identical across meshsky-feeder,
meshsky-airbridge, and meshsky-controltower
and is implementable in roughly thirty lines in any language
with AES-256-GCM and base64url support.
| Method | Path | Purpose |
|---|---|---|
| POST | /auth/session | Open or renew a session. |
| GET | /global/aircraft | Snapshot of all aircraft this gateway currently sees. |
| GET | /global/aircraft/{hex}/track | In-memory ring buffer of recent fixes for one ICAO. |
| GET | /global/aircraft/{hex}/history | Durable history from SQLite, time-bounded. |
| GET | /peers/aircraft | Peer-readable snapshot used by other AirBridges or auditors. |
| POST | /feeder/receiver | Feeder reports its receiver location and capabilities. |
| GET | /healthz | Unencrypted liveness probe and node identity. |
The streaming surface negotiates the session ID via the WebSocket subprotocol header:
Sec-WebSocket-Protocol: meshsky.v1.<sessionToken> X-Meshsky-Session: <sessionId>
Two endpoints carry frames inside session envelopes:
/feeder/uplink — feeder → AirBridgekind | Body (after decryption) |
|---|---|
hello | { lat, lon, altM, clockQuality, agent, version, sentAt } |
beast | { bytes: "<base64url frame>", source?: string, sentAt } |
mlat_sync | Verbatim sync payload from mlat-client, plus sentAt |
receiver_location | { lat, lon, altM, clockQuality, reportedAt } |
heartbeat | { framesSent, framesDropped, sentAt } |
/global/stream — AirBridge → ControlTower
The gateway pushes incremental encrypted snapshots whenever
the aircraft table changes materially or on a heartbeat
interval. Frame kinds include hello,
aircraft, rotate (sent when the
session is about to expire), session_expired, and
insufficient_credit.
The envelope and the WSS subprotocol are versioned together:
the subprotocol string is meshsky.v1.<sessionToken>.
A breaking envelope change rolls the subprotocol minor.
Field-level additions to JSON payloads are non-breaking; unknown
keys must be ignored. A major-version bump additionally
requires a published plan for backward-compatible co-existence
with the previous major — rolling forward must never
require a flag day for the network.
Every AirBridge keeps a per-aircraft history of the positions its feeders observed. The history layer is two-tier — a fast in-memory ring buffer for “recent breadcrumbs” and a durable SQLite store for “everything since timestamp T”. A controltower talking to several gateways unions all of their slices into one answer, so the consumer sees the full picture even though no single gateway sees the whole mesh.
For every accepted aircraft update, AirBridge persists one row:
icao — 24-bit ICAO hex address.ts — observation timestamp (ms epoch).lat, lon, alt_baro, alt_geom — position.ground_speed, track, vertical_rate — kinematics.squawk, flight, on_ground — identity & status.position_source — "adsb" or "mlat".source_node_id — the AirBridge that observed it.Updates without a usable position and without kinematic data are dropped on ingest — we never store empty rows.
In front of the SQLite store sits a per-ICAO ring buffer with defaults of 200 points and a 30-minute maximum age. Lazily evicted on read and on every append. This serves the cheap “give me the last N fixes” query without touching disk.
The persistent layer is better-sqlite3 with:
journal_mode = WAL — writers don’t block readers.synchronous = NORMAL — durable enough for telemetry, ~10× faster than FULL.busy_timeout = 5000 — forgive transient lock contention.(icao, ts) — natural dedupe on simultaneous writes.
A background pruner runs hourly and trims rows older than
HISTORY_KEEP_DAYS (default 7).
A controltower may peer with several AirBridges at once
(each sovereign, each holding only the tracks its own feeders
fed it). The ControlTowerHistory helper takes an
array of AirBridgeClient instances and unions
their answers:
Promise.allSettled.partial: true and the per-gateway sources[] array.(hex, ts) and sorted oldest-first.limit.{
"generatedAt": 1730000000000,
"hex": "a12b34",
"count": 3,
"partial": false,
"sources": [
{ "nodeId": "ab-pnw-1", "ok": true, "count": 2 },
{ "nodeId": "ab-pnw-2", "ok": true, "count": 1 }
],
"points": [
{ "ts": 1729999970000, "lat": 47.62, "lon": -122.35,
"altBaro": 33000, "groundSpeed": 462, "track": 285,
"positionSource": "adsb", "sourceNodeId": "ab-pnw-1" },
{ "ts": 1729999985000, "lat": 47.65, "lon": -122.31,
"altBaro": 33000, "positionSource": "mlat",
"sourceNodeId": "ab-pnw-2" }
]
}
Multilateration (MLAT) locates aircraft that don’t
broadcast their own GPS position by measuring the tiny time
differences with which their radio signals arrive at multiple
ground stations. MeshSky uses
wiedehopf/mlat-server and
wiedehopf/mlat-client, which are battle-tested in
the wider community ADS-B ecosystem and licensed under
GPLv3.
To compose them with the MIT-licensed Node code, MeshSky runs them as separate OS processes and talks to them over UNIX sockets. Nothing GPL-licensed is ever linked into the Node code path. This is the standard, audited mechanism for combining permissive and copyleft code without forcing a license change on either side.
feeder host AirBridge host ┌───────────────────────┐ ┌────────────────────────┐ │ meshsky-feeder (MIT) │ AES-256-GCM WSS │ meshsky-airbridge (MIT)│ │ │ │ ◄────────────────────► │ │ │ │ UNIX socket │ │ UNIX socket │ │ │ │ │ │ │ │ mlat-client (GPLv3) │ │ mlat-server (GPLv3) │ └───────────────────────┘ └────────────────────────┘
meshsky-feeder daemon
supervises a wiedehopf/mlat-client child
process that handles the timing and produces an MLAT sync
stream.
wiedehopf/mlat-server over
a UNIX socket. The server solves and emits MLAT positions
back to the gateway.
AircraftTracker and history layer as ADS-B
reports, tagged with position_source: "mlat" so
downstream consumers can distinguish them.
MLAT requires a sky-visible aircraft to be in range of at least four cooperating feeders attached to the same gateway. Coverage compounds with feeder density — a single new urban feeder can light up MLAT for hundreds of square kilometers around itself, and every new feeder strengthens MLAT for everyone in range of the same gateway. Open data with positive externalities.
MeshSky assumes a partially adversarial environment and ships a small, defensible set of mitigations rather than a long list of aspirational ones. This chapter documents both.
MeshSky does not today assume:
Every payload that carries aircraft data — REST response
or WSS frame — is wrapped in AES-256-GCM with the
per-session key from /auth/session. The 16-byte
authentication tag is bound to the session ID via AAD, so an
envelope tampered with after encryption fails to authenticate,
and an envelope replayed against a different session also
fails.
Session keys are short-lived and never reused across sessions. A leaked session key compromises only the data exchanged on that one session; renewing the session rotates the key.
Opening a session requires a bearer token issued by the gateway operator. The bearer is not the encryption key — it gates the ability to get an encryption key. Operators rotate bearers independently of session keys.
The feeder daemon never opens a listening port. There is no inbound attack surface on the edge of the mesh, only outbound TLS connections that the feeder controls.
Gateways do not push aircraft data to each other. A
compromised or adversarial gateway can lie to its own consumers,
but it cannot inject data into other gateways. Controltowers
fan reads across multiple gateways and surface stalls or
failures explicitly via partial: true rather than
absorbing them silently.
wiedehopf/mlat-client and
wiedehopf/mlat-server run as separate OS processes
and communicate over UNIX sockets. They are never linked into
the MIT-licensed Node code. This composition pattern is
well-trodden in the open-source community and avoids the
license entanglement that in-process linkage would create.
The meshsky.io site sets a strict
Permissions-Policy,
X-Frame-Options: DENY,
X-Content-Type-Options: nosniff,
Referrer-Policy: strict-origin-when-cross-origin,
and HSTS with a long max-age and preload.
We follow coordinated disclosure:
MeshSky-the-protocol is free, forever. The MeshSky Foundation offers paid tooling for operators who want managed dashboards, premium APIs, or enterprise SLAs. This chapter documents the bandwidth and operational footprint of running a piece of the mesh, and the tiered offerings around it.
| Tier | Typical traffic | Notes |
|---|---|---|
| Feeder → AirBridge | 10–50 kbps | Beast batches plus optional MLAT sync, replicated 1–N gateways. |
| AirBridge ingest | ~25 Mbps for 500 feeders | Modest by modern standards; comfortably fits a $20/month VPS. |
| AirBridge → ControlTower | 10–200 kbps per consumer | Snapshots are tens of KB; deltas are smaller. Scales linearly with consumers. |
| ControlTower (Cloudflare) | Pay-as-you-go | Workers + Durable Objects pricing; effectively zero at hobbyist scale. |
A volunteer feeder costs roughly $60 in hardware (Raspberry Pi 3B+, RTL-SDR Blog v3, antenna) and a single-digit kilobits-per-second sliver of a residential connection. A community-scale AirBridge gateway hosting ~500 feeders fits comfortably on a 2 vCPU / 2 GB / 10 GB VPS, which retails around $10–$20 per month from any major provider. A Cloudflare-deployed controltower runs in the free tier for low-volume workloads.
| Tier | Price | What you get |
|---|---|---|
| Community | $0/mo | The mesh, the docs, the protocol. Run unlimited feeders, public API access, community support, open-source dashboards. |
| Operator | $29/mo | Hosted feeder dashboards, higher API rate limits, reputation analytics, priority community support. |
| Enterprise | Custom | Private ControlTower deployment, streaming firehose access, dedicated AirBridge capacity, 24/7 SLA & onboarding. |
The mesh stays free. Paid tiers buy convenience and SLA, never access to the data itself.
MeshSky is a protocol and a set of reference implementations, not a hosted product. There is no admin button, no master switch, no vendor lock-in. This chapter explains how the protocol evolves and who decides what.
The MeshSky maintainers act as stewards of the protocol. Today that means:
meshsky.io domain and trademark.Stewardship explicitly does not include:
A formal foundation is on the roadmap. Until then, governance is lightweight — commits and issues in the public repos.
Protocol changes are governed by MeshSky RFCs (Requests for Comment), modeled loosely on the IETF and Rust RFC processes:
github.com/meshsky/rfcs.Major-version envelope or subprotocol bumps additionally require a public plan for backward-compatible co-existence with the previous major — rolling forward should never require a flag day for the network.
The reference code is MIT and the wire contract is documented in the open. Anyone may fork. We expect the strongest argument against any fork to be the operational cost of running and integrating the existing gateways — but if the maintainers ever stray from the principles in §2, forking is the intended remedy.
MeshSky is not finished. The protocol and the reference code are stable enough to deploy today, but several deliberate gaps are tracked publicly.
Today the envelope authenticates the session. We want feeders
to additionally sign their Beast batches with a long-lived
per-feeder identity so that individual observations are
verifiable end-to-end — an auditor consuming
/global/aircraft from a controltower could
cryptographically attribute every fix to the originating
feeder, not just the gateway that relayed it. This is a
non-breaking additive change to the WSS frame format.
A federated mesh that anyone can join needs a way to weight contributors by demonstrated history. The reference design will surface a per-feeder reputation score derived from coverage overlap with other feeders, MLAT solver weight, and historical uptime. The score is advisory — controltowers may use it to weight or filter, but the gateway does not silently drop low-reputation feeders.
We intend to incorporate a non-profit foundation to hold the domain, trademark, and any donations from operators or integrators. The bylaws will mirror the principles in §2.
No external audit has shipped yet. The envelope is small enough to audit informally and the threat model is documented; we will publish results in the open when a formal audit lands.
@meshsky/uri package
The meshsky:// URI parser is intentionally
duplicated across the three reference repos today so any of
them can consume an operator-published address without a
cross-repo dependency. When the API stabilises the parser
will move to a shared @meshsky/uri package and
the duplicates will be removed.
The current AirBridge counts Beast frames; full Beast decoding
into normalized aircraft records is in progress and the
stable wire surface (/global/aircraft) does not
change as a result.
dump1090 and readsb to expose decoded radio frames to downstream consumers. Default port 30005.meshsky:// URI.| Repository | Role |
|---|---|
github.com/meshsky/meshsky-feeder |
Outbound-only feeder daemon. Beast tap, AES-256-GCM uplink, optional MLAT supervisor, multi-gateway fan-out. |
github.com/meshsky/meshsky-airbridge |
Sovereign Fastify+WSS gateway. Ingests feeder uplinks, persists history, serves encrypted snapshots. |
github.com/meshsky/meshsky-controltower |
Read-side aggregator library and CLI. Cloudflare Workers + Durable Objects reference deployment. |
github.com/meshsky/meshsky-website |
This document and the meshsky.io marketing & docs site. |
All four repositories are MIT-licensed. The
wiedehopf/mlat-client and
wiedehopf/mlat-server binaries are GPLv3 and are
invoked strictly as separate OS processes via the supervisor
modules in meshsky-feeder and
meshsky-airbridge.
This whitepaper is released under CC BY 4.0. Suggested citation:
MeshSky Foundation. "MeshSky: An Open, Decentralized Mesh for Aviation Telemetry." v1.0, May 2026. https://meshsky.io/whitepaper/meshsky-whitepaper.pdf
BibTeX:
@techreport{meshsky2026whitepaper,
title = {{MeshSky: An Open, Decentralized Mesh for Aviation Telemetry}},
author = {{MeshSky Foundation}},
institution = {MeshSky Foundation},
year = {2026},
month = {may},
type = {Whitepaper},
number = {v1.0},
url = {https://meshsky.io/whitepaper/meshsky-whitepaper.pdf}
}
Contact — General: hello@meshsky.io · Security: security@meshsky.io